DNS Blocking

• Previous message (by thread): DNS Blocking
• Next message (by thread): DNS Blocking
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> > danm at prime.gushi.org ("Dan Mahoney, System Admin") writes:
> >
> >> What I was basically asking for was a "silently drop queries for X-domain"
> >> option.  But one doesn't exist in bind.
> >
> > take a look at www.as112.net to see what happens to queries for
> > 10.in-addr.arpa and its brothers.  you can easily set up a zone
>
> There weren't rfc1918.

Doesn't matter.  But in order for this trick to work:

  - The things sending you queries must be able to receive your
    replies.  I believe you said that source addresses are spoofed,
    so this may not be the case.

  - The things sending you queries must be smart enough to follow
    the NS referral in the response.

If I wanted to silently drop DNS queries based on the query name,
I might use FreeBSD's divert socket and a Perl script to examine
the queries.  Not sure well that would scale though.

Duane W.

• Previous message (by thread): DNS Blocking
• Next message (by thread): DNS Blocking
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]